Abstract

Fiat-Shamir is a mainstream construction paradigm for lattice-based signature schemes. While its theoretical security is well-studied, its implementation security in the presence of leakage is a relatively under-explored topic. Specifically, even though some side-channel attacks on lattice-based Fiat-Shamir signature (FS-Sig) schemes have been proposed since 2016, little work on the leakage resilience of these schemes has appeared. Worse still, the proof idea behind the leakage resilience of FS-Sig schemes based on traditional number-theoretic assumptions does not apply to most lattice-based FS-Sig schemes.

To address this, we propose a framework to construct fully leakage resilient lattice-based FS-Sig schemes in the bounded memory leakage (BML) model. The framework consists of two parts. The first part shows how to construct leakage resilient FS-Sig schemes in the BML model from leakage resilient versions of non-lossy or lossy identification schemes, which can be instantiated based on lattice assumptions. The second part shows how to construct fully leakage resilient FS-Sig schemes from leakage resilient ones together with a new property called state reconstruction. We show that almost all lattice-based FS-Sig schemes have this property.

As a concrete application of our fundamental framework, we 
apply it to existing lattice-based FS-Sig schemes and provide 
analysis results of their security in the leakage setting. 


Keywords leakage resilience, lattice-based signatures, Fiat-Shamir paradigm, side-channel attacks, post-quantum cryptography


1 Introduction 

The advent of quantum computers will break current public-key infrastructures based on RSA, DLP and ECC. In 2016, the National Institute of Standards and Technology (NIST) announced a competition [1] to develop standards for post-quantum cryptography, including digital signature, encryption and key establishment protocols. Due to its mathematical elegance, implementation simplicity and practical efficiency, lattice-based cryptography stands out as one of the most promising candidates and has gained a lot of attention from the research community in recent years. Five lattice-based signature schemes were submitted to NIST, two of which were third-round finalists, following the hash-and-sign [2] and Fiat-Shamir [3] paradigms, respectively. In this paper, we focus on signatures using the Fiat-Shamir paradigm, which is also the structure deployed in DLP/ECC-based signature infrastructures.

Fiat-Shamir signatures Fiat-Shamir signatures refer to signature schemes constructed from a canonical identification (ID) protocol via the Fiat-Shamir transformation [4]. A canonical ID scheme is a three-move protocol of the form commitment-challenge-response. In the protocol, the prover sends a commitment a to the verifier and the verifier returns a random challenge c. Finally, the prover sends a response z, and the verifier accepts if V(a, c, z) = 1. In the Fiat-Shamir signature (FS-Sig) scheme, the challenge c is generated non-interactively as the output of a random oracle applied to the commitment a and the message μ being signed. Lyubashevsky [5] generalized this to "Fiat-Shamir with aborts" to construct signature schemes based on lattice assumptions. Since the pioneering work of Lyubashevsky, a series of works [3,6-9] on lattice-based FS-Sig schemes has been developed.

Side-channel attacks on Fiat-Shamir signatures In contrast to the large body of work targeting the theoretical security and efficient implementation of lattice-based primitives, their implementation security in the presence of leakage is less explored. In 2016, Bruinderink et al. [10] proposed the first side-channel attack on a lattice-based FS-Sig scheme, BLISS [7], by attacking the discrete Gaussian samplers used to generate randomness in the signing algorithm. Whereas the attack target in [10] was the "research-oriented" implementation, the subsequent work [11] proposed a cache attack on BLISS and BLISS-B [12] in a realistic setting. Independently, [13] investigated the implementation security of BLISS by presenting side-channel attacks on the rejection sampling, the Gaussian sampling and the unprotected multiplication.

Since lattice-based FS-Sig schemes have a similar structure and almost all include building blocks such as Gaussian sampling and rejection sampling, they may also be vulnerable to the side-channel attacks mounted on BLISS. One way to eliminate the threat of leakage is leakage resilient cryptography [14,15]; however, there is little work on leakage resilient lattice-based signature schemes.

Previous work [16] showed that FS-Sig schemes are leakage resilient (LR) in the bounded memory leakage (BML) model, in which the adversary is allowed to obtain arbitrary but overall-bounded leakage of the secret key, and an independent work [15] showed the similar result that FS-Sig schemes are fully leakage resilient (FLR), meaning that all the state information is allowed to leak. Soon after, [17] extended the result to the continuous memory leakage model, in which the adversary is allowed to obtain arbitrary and unbounded leakage with the restriction that the amount of leakage between two adjacent periods is bounded. The FS-Sig schemes in [15-17] are based on traditional number-theoretic assumptions, which raises a natural question:

Are lattice-based FS-Sig schemes still (fully) leakage resilient in the BML model?


There are multiple leakage models in the field, and they mainly differ in the information available to the adversary. Among those models, the bounded memory leakage (BML) model is widely applicable due to its simplicity and elegance [18]. Moreover, well-known constructions in the BML model can directly serve as basic building blocks in the continuous memory leakage model. Therefore, this paper explores the leakage resilience of lattice-based FS-Sig schemes in the BML model.


1.1 Our results 
Our results are two-fold. 

First of all, we present a framework to construct fully 
leakage resilient FS-Sig (FLR-FS-Sig) schemes and instantiate 
it with lattice assumptions. The framework is summarized in 
Fig. 1. 


[Fig. 1 The high-level overview of our framework]

[Table 1 Leakage resilience of SIS-based FS-Sig schemes]


- In the first part, we show how to construct leakage resilient FS-Sig (LR-FS-Sig) schemes from ID. Concretely, we generalize the properties of ID to the leakage setting. We show that if the underlying ID is leakage resilient and sound (LRSound), the FS-Sig scheme is leakage resilient in the BML model, by the rewinding technique. Similarly, we introduce the Katz-Wang technique to construct LR-FS-Sig schemes if the underlying ID is leakage resilient and lossy (LRLossy). Besides, we instantiate LRSound ID and LRLossy ID based on the SIS and LWE problems, respectively.

- Second, we define a property called state reconstruction, which can be used to construct fully leakage resilient signature schemes from leakage resilient ones. Then we show that almost all lattice-based FS-Sig schemes have this property.

Finally, we revisit the security of existing lattice-based FS-Sig schemes [3,6-9] in the leakage setting using our framework. The results are summarized in Tables 1 and 2.


1.2 Our techniques

Leakage resilience In the strategy for proving leakage resilience of FS-Sig schemes in [15-17], the fact that a given public key corresponds to many secret keys is crucial; however, this fails for most lattice-based signature schemes, implying that new proof techniques are needed in our case. According to their properties, ID schemes can be divided into non-lossy ID (which in this paper we refer to as sound ID) and lossy ID. Interestingly, we observe that many secret keys correspond to a public key in sound ID, whereas only one valid secret key exists in lossy ID. Hence, we can prove the leakage resilience of FS-Sig schemes by the rewinding technique used in [15-17] if the underlying ID is sound. Concretely, we first generalize ID to the leakage setting and define leakage resilient and sound (LRSound) ID as having the following properties: (1) min-entropy, (2) non-abort honest-verifier zero-knowledge (naHVZK) and (3) leakage resilient soundness (LRSoundness), which requires that soundness still holds even given leakage of the secret key. We prove that if the underlying ID is LRSound, the FS-Sig scheme is leakage resilient in the BML model. The proof is similar to that in the leak-free setting, and the challenge lies in how to prove that the SIS-based ID instantiation has the above three properties, especially the LRSoundness property. The idea for proving leakage resilient soundness is that if there exists an adversary A that breaks this property, we can extract a solution of SIS by rewinding A. For this, we need to show that the non-uniqueness of the secret key still holds given bounded leakage of the secret key.

Table 1 (SIS-based ID). "✓" and "✗" denote that the property holds or fails, respectively.

Related work   | Optimization techniques       | Min-entropy | naHVZK | LRSoundness | State reconstruction | Leakage resilience
Lyu12-Sig [6]  | none / NTRU-SIS variant        | ✓           | ✓      | ✓           | ✓                    | FLR
BLISS [7]      | bimodal Gaussian              | ✓           | ✓      | ✓           | ✗                    | LR

Table 2 Leakage resilience of LWE-based FS-Sig schemes. "?" denotes that security against leakage is unknown by our analysis.

Related work   | Optimization techniques       | Min-entropy | naHVZK | LRKI | LRLossiness | State reconstruction | Leakage resilience
BG14-Sig [8]   | signature compression         | ✓           | ✓      | ✓    | ✓           | ✓                    | FLR
Dilithium [3]  | MLWE with uniform error       | ✓           | ✓      | ✗    | ✓           | ✓                    | ?
               | public key compression        | ✓           | ✓      | ✗    | ✓           | ✓                    |
               | signature compression         | ✓           | ✓      | ✓    | ✓           | ✓                    |
[9] (name illegible in source) | RLWE with [illegible] error | ✓ | ✓      | ✗    | ✓           | ✓                    | ?

In terms of lossy ID, since only one valid secret key exists for a given public key, the proof strategy in [15-17] is no longer applicable. Instead, we present a different proof inspired by Katz-Wang [19]. Similar to the non-lossy case, we also generalize ID to the leakage setting and define leakage resilient and lossy (LRLossy) ID as having the following properties: (1) min-entropy, (2) naHVZK, (3) leakage resilient key indistinguishability (LRKI) and (4) leakage resilient lossiness (LRLossiness). We prove that if the underlying ID is LRLossy, the FS-Sig scheme is leakage resilient in the BML model, using the Katz-Wang technique. The challenge lies in how to prove that the LWE-based ID instantiation satisfies the latter two properties.

In LWE-based ID, there are two indistinguishable modes of 
the key generation algorithm, in the normal mode the public 
key is generated with an LWE instance and in the lossy mode 
the public key is sampled at random. Obviously, the crux of 
proving the LRKI property is to prove the normal public key 
is still indistinguishable from the lossy one even though the 
adversary obtains bounded information of the secret key, 
which is exactly the entropic LWE problem [20,21] stating 
that the LWE problem is still hard as long as the secret has 
sufficient min-entropy. Unfortunately, in LWE-based ID, the 
secret key not only includes the secret, but also the error of 
LWE. Hence the leakage of secret key implies the 
simultaneous leakage of secret and error in LWE, and we 
cannot apply the entropic LWE to our proof directly. This 
problem can be solved by reducing the LWE problem whose 
secret key and error leak simultaneously to the standard 
entropic LWE problem. Finally, to prove the LRLossiness 
property, we prove only one challenge exists for a given 
commitment and the probability of finding the challenge given 
the lossy key is negligible. 

Full leakage resilience In the existing proofs of full leakage resilience of signatures, it is required that signatures leak nothing about the secret key even when the randomness is leaked. However, this condition does not hold for lattice-based FS-Sig schemes, and not even for FS-Sig schemes based on traditional number-theoretic assumptions, which conflicts with the results in previous work [15,17]. Specifically, a signature of an FS-Sig scheme has the form z = y + Sc, and the randomness y is used to mask the secret key S so that the signature z is independent of S. If the randomness y is leaked, z and S are no longer independent, i.e., the signature leaks some information about the secret key. Since the signature is public, the adversary may recover the secret key after observing sufficiently many signatures in the full leakage setting, and this is exactly how the side-channel attacks on BLISS in [10,11] work. Nevertheless, the decrease in the min-entropy of the secret key caused by signatures in this way is not considered in the proofs of [15,17].

Since the leakage of the secret key caused by signatures is unavoidable, we need such leakage to be bounded. In other words, we need to prove that the min-entropy of the secret key does not decrease too much given the signatures. Based on this idea, we borrow techniques from the work on leakage resilient zero-knowledge in [22]. Specifically, we define the state reconstruction property, which requires that on input a random signature σ, the secret key sk and a message μ, there exists a simulator outputting randomness r such that σ = Sign(sk, μ; r). Using this property, we can reduce the full leakage resilience of signature schemes to their leakage resilience. This conclusion holds for all leakage resilient signatures, not only lattice-based FS-Sig schemes. Then we show that lattice-based FS-Sig schemes of the form z = y + Sc satisfy the state reconstruction property, thus obtaining fully leakage resilient schemes.


1.3 Related work 

Katz-Wang technique for Fiat-Shamir signatures To construct signature schemes with a tight security reduction, [23] generalized the proof idea in [19] to FS-Sig schemes and proved that they are tightly secure in the random oracle model. Besides tight security, [24] showed that the Katz-Wang technique can also be used to prove the security of FS-Sig schemes in the quantum random oracle model, where the adversary has quantum access to the random oracle and classical access to the signing oracle. Similar techniques may be applied in the leakage setting to obtain leakage resilient and tightly secure LWE-based FS-Sig schemes in the quantum random oracle model.

Leakage resilient cryptography Leakage resilient cryptography was introduced to construct secure cryptographic primitives in the presence of leakage attacks [25,26], and a number of leakage resilient cryptographic schemes have been proposed [14-17,20,27-31].

Existing leakage resilient signature schemes in the random 
oracle model are mainly based on the Fiat-Shamir paradigm 
[15-17] and we briefly introduce other signature schemes in 
the standard model. Katz and Vaikuntanathan [15] presented 
the first leakage resilient signature scheme in the standard 
model with bounded leakage. Later [17,29] extended it to the 
continuous leakage setting. 

[15] also put forward a stronger notion of fully leakage resilient signature schemes, requiring that the scheme remains secure even in a setting where the adversary may obtain bounded information about all the randomness used throughout the lifetime of the system; no signature scheme met this notion in the standard model until [31] appeared. [31] presented the first fully leakage resilient signature scheme, and the construction extends to the continuous leakage model. A concurrent work [32] also constructed a fully leakage resilient signature scheme in the continuous memory leakage model.

Besides, there are leakage resilient signature schemes in other models, such as the auxiliary-input model [33], a weaker model than BML that allows the adversary to see a computationally hard-to-invert function of the secret key, or the security model called graceful degradation [34], which investigates the leakage resilience of short signatures.

It is worth noting that almost all of the above signature schemes are based on traditional number-theoretic assumptions, which are insecure in the quantum computing setting.


2 Preliminaries 

Notations Let q ∈ ℕ be a prime and write Z_q for the integers in the range (−q/2, q/2]. Vectors and matrices are represented by bold lower case letters and bold upper case letters, respectively. We recall that the ℓ_p-norm of a vector v is defined as

$\|v\|_p = \Big(\sum_i |v_i|^p\Big)^{1/p}$

for p > 0 and its ℓ_∞-norm as $\|v\|_\infty = \max_i |v_i|$. In this paper we write ‖v‖ for the ℓ_2 norm. If S is a set, |S| denotes its size and x ← S means that x is chosen uniformly at random from S. Let D be a distribution; we use the notation x ← D to mean that x is sampled according to the distribution D.


2.1 Min-entropy 
Let X and Y be random variables. The min-entropy of X is

$H_\infty(X) \stackrel{\mathrm{def}}{=} -\log\Big(\max_x \Pr[X = x]\Big).$

The average min-entropy of X conditioned on Y is

$\tilde{H}_\infty(X \mid Y) \stackrel{\mathrm{def}}{=} -\log\Big(\mathop{\mathbb{E}}_{y \leftarrow Y}\big[2^{-H_\infty(X \mid Y = y)}\big]\Big).$

The min-entropy measures the worst-case predictability of X and the average min-entropy measures the worst-case predictability of X given knowledge of Y. [35] gave a bound on average min-entropy.

Lemma 1 ([35]) Let X, Y and Z be random variables where Y has 2^r possible values; then $\tilde{H}_\infty(X \mid Y, Z) \ge \tilde{H}_\infty(X \mid Z) - r$.
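The following Python is an added illustration, not code from the paper: it computes $H_\infty$ and $\tilde{H}_\infty$ exactly as defined above for small discrete distributions, and checks the Z-free case of Lemma 1 for a deterministic leakage function f whose output takes $2^r$ distinct values, which is the bounded-output leakage of the BML model. The sample distributions, the leakage functions and all function names are constructed here and are not from the paper.

```python
import math
from collections import defaultdict


def min_entropy(dist):
    """H_inf(X) = -log2(max_x Pr[X = x]); dist maps outcomes to probabilities."""
    return -math.log2(max(dist.values()))


def average_min_entropy(joint):
    """Average min-entropy H~_inf(X | Y) = -log2(E_{y<-Y}[2^{-H_inf(X | Y = y)}]).
    Since Pr[Y = y] * 2^{-H_inf(X | Y = y)} = max_x Pr[X = x, Y = y], the expectation
    collapses to the sum over y of the largest joint probability in column y."""
    best = defaultdict(float)
    for (x, y), p in joint.items():
        best[y] = max(best[y], p)
    return -math.log2(sum(best.values()))


def joint_with_leakage(dist_x, f):
    """Joint distribution of (X, Y) with Y = f(X) for a deterministic leakage function f."""
    joint = defaultdict(float)
    for x, p in dist_x.items():
        joint[(x, f(x))] += p
    return dict(joint)


def lemma1_bound(dist_x, f):
    """Z-free case of Lemma 1: returns (H~_inf(X | f(X)), H_inf(X) - r), where r = log2 of the
    number of distinct values f takes, i.e. the output length of the leakage in bits.
    Lemma 1 guarantees that the first value is at least the second."""
    joint = joint_with_leakage(dist_x, f)
    r = math.log2(len({y for (_, y) in joint}))
    return average_min_entropy(joint), min_entropy(dist_x) - r


# Constructed sample distributions (not from the paper).
UNIFORM_4BIT = {x: 1 / 16 for x in range(16)}      # a uniform 4-bit secret
SKEWED = {0: 0.5, 1: 0.25, 2: 0.125, 3: 0.125}     # a biased 2-bit secret

if __name__ == "__main__":
    # Leaking the low 2 bits of a uniform secret costs exactly 2 bits: (2.0, 2.0), the bound is tight.
    print(lemma1_bound(UNIFORM_4BIT, lambda x: x & 3))
    # Leaking the parity of a biased secret: (0.415..., 0.0), the bound is loose.
    print(lemma1_bound(SKEWED, lambda x: x % 2))
```

Conditioning on an additional variable Z as in the full statement of Lemma 1 is the same computation with the pair (y, z) used as the column key of `average_min_entropy`.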


2.2 Canonical identification schemes 
We recall the definition of canonical identification schemes in 
[24]. 


Definition 1 A canonical identification scheme ID is a three-move protocol defined as a tuple of algorithms ID = (IGen, P, V).

- The key generation algorithm IGen takes as input the security parameter and outputs a key pair (pk, sk). We assume that pk defines the commitment set WSet, the challenge set ChSet and the response set ZSet.

- The prover algorithm P = (P1, P2) is split into two algorithms. P1 takes as input the secret key sk and outputs a commitment a ∈ WSet. P2 takes as input the secret key sk, a commitment a, a challenge c ∈ ChSet and a state st, and outputs a response z ∈ ZSet.

- The verifier algorithm V takes as input the public key pk and the transcript (a, c, z), and outputs 1 if it accepts and 0 otherwise.

If the commitment a is uniquely determined by the challenge c and the response z, the transcript can be optimized by omitting a. This property holds for all lattice-based ID schemes considered in this paper.

ID is divided into non-lossy ID and lossy ID. To construct 
leakage resilient FS-Sig schemes, we extend the definition of 
ID to the leakage setting. 


Definition 2 (Leakage resilient and sound ID) Let f be an arbitrary leakage function with bounded output length. We say ID is leakage resilient and sound (LRSound) if it has the following properties:

1. Min-entropy We say ID has α bits of min-entropy if the min-entropy of the commitment a is at least α except with probability 2^{−α}.

2. Non-abort honest verifier zero-knowledge We say ID is ε_zk-naHVZK (non-abort honest-verifier zero-knowledge) if there exists a PPT simulator Sim which takes as input the public key pk and outputs a transcript (a', c', z') that is statistically indistinguishable from a real transcript (a, c, z), with statistical distance at most ε_zk.

3. Leakage resilient soundness We say ID is ε_lrs-LRSound if for any PPT adversary A, $\mathrm{Adv}^{\mathrm{IMP}}_{ID}(A) = \Pr[\mathrm{Exp}^{\mathrm{IMP}}_{ID}(A) = 1] \le \varepsilon_{lrs}$, where λ is the security parameter, st is the state and $\mathrm{Exp}^{\mathrm{IMP}}_{ID}$ is the impersonation experiment defined below:
   (a) (pk, sk) ← IGen(1^λ).
   (b) (a, st) ← A(pk, f(sk)).
   (c) c ← ChSet.
   (d) z ← A(c, st, f(sk)).
   (e) return V(pk, a, c, z).


Definition 3 (Leakage resilient and lossy ID) Let f be an arbitrary function with bounded output length. We say ID is leakage resilient and lossy (LRLossy) if there exists a lossy key generation algorithm LIGen that takes as input the security parameter and outputs a lossy public key pk_ls, and ID has the following properties:

1. Min-entropy Same as in Definition 2.

2. Non-abort honest verifier zero-knowledge Same as in Definition 2.

3. Leakage resilient key indistinguishability We say ID is ε_lrki-LRKI (leakage resilient and key indistinguishable) if the lossy public key pk_ls is indistinguishable from a normal public key pk except with probability ε_lrki, even given leakage of the secret key f(sk).

4. Leakage resilient lossiness We say ID is ε_lrls-LRLossy if for any PPT adversary A, $\mathrm{Adv}^{\mathrm{LOSSY\text{-}IMP}}_{ID}(A) = \Pr[\mathrm{Exp}^{\mathrm{LOSSY\text{-}IMP}}_{ID}(A) = 1] \le \varepsilon_{lrls}$, where λ is the security parameter and $\mathrm{Exp}^{\mathrm{LOSSY\text{-}IMP}}_{ID}$ is the impersonation experiment with respect to the lossy public key:
   (a) pk_ls ← LIGen(1^λ).
   (b) (a, st) ← A(pk_ls, f(sk)).
   (c) c ← ChSet.
   (d) z ← A(c, st, f(sk)).
   (e) return V(pk_ls, a, c, z).


2.3 Security definition of digital signatures 
We recall the security definition of (full) leakage resilience for digital signatures in [15], which is the standard notion of existential unforgeability against chosen-message attack (UF-CMA) except that we additionally allow the adversary to obtain the values of arbitrary functions {f_i}, with bounded total output length, applied to the secret key (or to all the randomness used in the signature scheme).

Definition 4 ((Full) Leakage resilience) A signature scheme Π = (KeyGen, Sign, Verify) is (fully) leakage resilient in the bounded memory leakage model (BML) if for any PPT adversary A we have that $\mathrm{Adv}^{(F)LR\text{-}UF\text{-}CMA}_{\Pi}(A) = \Pr[\mathrm{Exp}^{(F)LR\text{-}UF\text{-}CMA}_{\Pi}(A)]$ is negligible in the security parameter λ, where the event $\mathrm{Exp}^{(F)LR\text{-}UF\text{-}CMA}_{\Pi}(A)$ is defined in the following experiment:

1. Choose r ∈ {0,1}^* and compute (pk, sk) ← KeyGen(1^λ; r). Set state = {r}.

2. Run A(1^λ, pk). The adversary can adaptively access a signing oracle and a leakage oracle that are defined as follows:

- Signing queries. Upon receiving a message μ_i for the i-th query, the signing oracle chooses r_i ← {0,1}^* and computes σ_i ← Sign(sk, μ_i; r_i). It sets state = state ∪ {r_i} and returns σ_i.

- Leakage queries. Upon receiving a description of f_i for the i-th query, the leakage oracle returns f_i(state).

3. The adversary A outputs a pair (μ, σ).

4. The event $\mathrm{Exp}^{(F)LR\text{-}UF\text{-}CMA}_{\Pi}(A)$ occurs if:

- Verify(pk, μ, σ) = 1.

- μ was never queried to the signing oracle.

Remark 1 If the input state of the leakage function only includes the secret key (or the randomness used to generate it), the definition is ν-leakage resilient (LR), where ν is the total amount of leakage; if the state includes all the randomness used in the signature scheme, the definition is (ν, ν')-fully leakage resilient (FLR).


2.4 Hardness assumptions 


Definition 5 (SIS_{q,n,m,β} search problem) The SIS_{q,n,m,β} search problem is: given a random matrix A ← Z_q^{n×m}, find a non-zero vector v ∈ Z^m such that Av = 0 (mod q) and ‖v‖ ≤ β.

Definition 6 (LWE_{q,n,m,χ} decision problem) Let D_s and χ be distributions over Z_q. The LWE_{q,n,m,χ} decision problem is to distinguish, with non-negligible probability, the uniform distribution over (A, t) ∈ Z_q^{m×n} × Z_q^m from the LWE distribution (A, As + e mod q), where s ← D_s^n and e ← χ^m.

Remark 2 Similarly, by replacing the underlying mathematical structures, we can define structured variants of the above assumptions, e.g., the NTRU-SIS problem, the Ring-LWE (RLWE) problem and the Module-LWE (MLWE) problem.


2.5 Rejection sampling 

Rejection sampling is a powerful tool for constructing secure lattice-based FS-Sig schemes. We recall the rejection sampling lemma in [6].

Lemma 2 ([6]) Let f, g be probability distributions with the property that there exists a universal upper bound M ∈ ℝ such that $\Pr[M g(z) \ge f(z);\ z \leftarrow f] \ge 1 - \varepsilon$; then the output distributions of the following two algorithms have statistical distance at most ε/M:

1. z ← g, output z with probability $\min\big(\frac{f(z)}{M g(z)}, 1\big)$.

2. z ← f, output z with probability $\frac{1}{M}$.

We present the definition of FS-Sig schemes from ID schemes. Due to the rejection probability in the underlying ID scheme, the expected number of times the signing algorithm must be run to output a valid signature is M.

Definition 7 (Fiat-Shamir signatures from ID schemes) Let ID = (IGen, P, V) be a canonical identification scheme. By the Fiat-Shamir transformation, the FS-Sig scheme FS[ID] = (KeyGen, Sign, Verify) from ID is defined as follows.

KeyGen(1^λ)
  (pk, sk) ← IGen(1^λ)
  return (pk, sk)

Sign(sk, μ)
  while z = ⊥ do
    (a, st) ← P1(sk)
    c = H(a‖μ)
    z ← P2(sk, a, c, st)
  end while
  return σ = (c, z)

Verify(pk, μ, σ)
  parse σ = (c, z)
  recover the commitment a from (c, z); if c ≠ H(a‖μ) return 0
  return V(pk, a, c, z)


3 Leakage resilient Fiat-Shamir signatures

In this section, we first show how to construct LR-FS-Sig 
schemes from LRSound and LRLossy ID schemes, and then 
instantiate ID schemes with lattice assumptions. 


3.1 Leakage resilient Fiat-Shamir signatures from sound ID schemes

Our first result shows that the FS-Sig scheme FS[ID] is leakage resilient in the BML model if the underlying ID is still sound even when the secret key is leaked.


Theorem 1 Assume the identification scheme ID is ε_zk-naHVZK, ε_lrs-LRSound and has α bits of min-entropy; then FS[ID] is leakage resilient in the BML model. Concretely, for any adversary A against FS[ID] making at most h hash queries to the random oracle and at most s signing queries, we have

$\mathrm{Adv}^{\mathrm{LR\text{-}UF\text{-}CMA}}_{FS[ID]}(A) \le Ms\cdot\varepsilon_{zk} + Ms(s+h+1)\cdot 2^{-\alpha} + (h+1)\cdot\varepsilon_{lrs}.$


Proof. We define a sequence of experiments and complete the proof of Theorem 1 by proving the indistinguishability between adjacent experiments. Without loss of generality, we assume that the signing algorithm is executed M times for each signing query.

Exp_0. This is the original experiment. In this experiment, the challenger runs (pk, sk) ← KeyGen(1^λ) and returns pk to the forger F. The challenger initializes the hash table and sets the hash counter hc to 0.

Upon receiving a hash query, the challenger first checks whether (a, μ) has been queried. If not, the challenger chooses c from the challenge set ChSet at random and returns c to F. The challenger also increments hc by 1 and updates the hash table. Otherwise, the challenger returns the predefined c. Upon receiving a signing query, the challenger runs σ ← Sign(sk, μ) and returns the signature σ. In doing so, the challenger checks whether (a, μ) has been queried. If not, the challenger randomly chooses c and sets c =  H(a‖μ). Upon receiving a leakage query, the challenger returns f(sk) since it knows sk.

Finally, F outputs a forgery (μ, σ). The challenger runs Verify(pk, μ, σ) and outputs the result.

Exp_1. Differently from Exp_0, in Exp_1 the challenge c is chosen at random regardless of whether (a, μ) has been queried and is then reprogrammed as c = H(a‖μ), which introduces a collision if (a, μ) has been queried. To bound the collision probability, we assume that all the hash queries are asked at the beginning of the experiment. Since the commitment a has α bits of min-entropy, the probability that a collision happens in the i-th query is $(M(i-1)+h+1)\cdot 2^{-\alpha}$. Thus, $|\mathrm{Adv}_{\mathrm{Exp}_0}(F) - \mathrm{Adv}_{\mathrm{Exp}_1}(F)| \le Ms(s+h+1)\cdot 2^{-\alpha}$.

Exp_2. The difference between Exp_1 and Exp_2 is the way of generating signatures. In Exp_2, upon receiving a signing query, instead of generating a signature with the secret key sk, the challenger runs (a, c, z) ← Sim(pk, c) to generate σ = (c, z). Due to the naHVZK property, the statistical distance between the distribution of σ in Exp_1 and in Exp_2 is at most ε_zk. Thus, $|\mathrm{Adv}_{\mathrm{Exp}_1}(F) - \mathrm{Adv}_{\mathrm{Exp}_2}(F)| \le Ms\cdot\varepsilon_{zk}$.

Now we claim that $\mathrm{Adv}_{\mathrm{Exp}_2}(F) \le (h+1)\cdot\varepsilon_{lrs}$. To prove this, we show that if there exists a forger F against FS[ID], we can build an adversary A that breaks the leakage resilient soundness of the underlying ID. First, the challenger of ID runs IGen to generate a key pair (pk, sk), and A forwards pk to the forger F. Since the challenger knows the secret key sk, it can answer leakage queries from F. Then A chooses a random index i in {1, ..., h+1}. Upon receiving a hash query (a_j, μ_j) from F, A first checks whether j = i. If not, A chooses a random c_j from the challenge set ChSet and returns it to F. Otherwise, A saves a_j as a* and forwards it to the challenger. Then A returns the c* received from the challenger to F. Upon receiving a signing query, A runs (a, c, z) ← Sim(pk, c) to generate σ = (c, z). Finally, F outputs a forgery (μ*, (c*, z*)) and A forwards z* to the challenger. Clearly, A has properly simulated Exp_2 for F. Since the underlying ID is ε_lrs-LRSound, we have $\mathrm{Adv}_{\mathrm{Exp}_2}(F) \le (h+1)\cdot\varepsilon_{lrs}$.

To sum up, we complete the proof of Theorem 1.


3.2 Leakage resilient Fiat-Shamir signatures from lossy ID schemes

In this section, we show that the FS-Sig scheme FS[ID] is leakage resilient in the BML model if the underlying ID is still key indistinguishable and lossy even when the secret key is leaked.

The signing procedures of the experiments Exp_0 to Exp_3 used in the proofs of Theorems 1 and 2 are summarized below (Exp_3 is used only in the proof of Theorem 2):

Exp_0
  (pk, sk) ← IGen(1^λ)
  while z = ⊥ do
    (a, st) ← P1(sk)
    c = H(a‖μ)
    z ← P2(sk, a, c, st)
  end while
  return σ = (c, z)

Exp_1
  (pk, sk) ← IGen(1^λ)
  while z = ⊥ do
    (a, st) ← P1(sk)
    c ← ChSet
    z ← P2(sk, a, c, st)
    set H(a‖μ) := c   (reprogram the random oracle)
  end while
  return σ = (c, z)

Exp_2
  (pk, sk) ← IGen(1^λ)
  while z = ⊥ do
    c ← ChSet
    (a, c, z) ← Sim(pk, c)
    set H(a‖μ) := c
  end while
  return σ = (c, z)

Exp_3
  pk_ls ← LIGen(1^λ)
  while z = ⊥ do
    c ← ChSet
    (a, c, z) ← Sim(pk_ls, c)
    set H(a‖μ) := c
  end while
  return σ = (c, z)


Theorem 2 Assume the identification scheme ID is ε_zk-naHVZK, ε_lrki-LRKI, ε_lrls-LRLossy and has α bits of min-entropy; then FS[ID] is leakage resilient in the BML model. Concretely, for any adversary A against FS[ID] making at most h hash queries to the random oracle and at most s signing queries, we have

$\mathrm{Adv}^{\mathrm{LR\text{-}UF\text{-}CMA}}_{FS[ID]}(A) \le Ms\cdot\varepsilon_{zk} + Ms(s+h+1)\cdot 2^{-\alpha} + \varepsilon_{lrki} + (h+1)\cdot\varepsilon_{lrls}.$

Proof. Exp_0, Exp_1 and Exp_2 are the same as those defined in the proof of Theorem 1.

Exp_3. In Exp_3, the challenger runs pk_ls ← LIGen(1^λ) to generate a lossy public key pk_ls. By the key indistinguishability with secret key leakage of the underlying ID, we have $|\mathrm{Adv}_{\mathrm{Exp}_2}(F) - \mathrm{Adv}_{\mathrm{Exp}_3}(F)| \le \varepsilon_{lrki}$.

It remains to prove $\mathrm{Adv}_{\mathrm{Exp}_3}(F) \le (h+1)\cdot\varepsilon_{lrls}$. As in Theorem 1, we can build an adversary A against the impersonation experiment with respect to the lossy public key with the help of the forger F. Since the underlying ID is ε_lrls-LRLossy, we have $\mathrm{Adv}_{\mathrm{Exp}_3}(F) \le (h+1)\cdot\varepsilon_{lrls}$.


3.3 Leakage resilient and sound ID scheme based on SIS

In this section, we present an ID scheme based on the SIS problem. D_s and D_y are the distributions for the secret key and for the randomness used in the prover algorithm, respectively. In our construction, D_s is the uniform distribution over {−d, ..., 0, ..., d}^{m×k} and D_y is a Gaussian distribution with standard deviation σ.^{1)} The challenge c is a uniform binary string of length k and weight κ.

IGen(1^λ)
  A ← Z_q^{n×m}
  S ← D_s^{m×k}
  T = AS
  return (pk = (A, T), sk = S)

P1(sk)
  y ← D_y^m
  w = Ay
  return a = w, st = (w, y)

P2(sk, a, c, st)
  z = y + Sc
  return z with probability $\min\big(\frac{D^m_{\sigma}(z)}{M\cdot D^m_{Sc,\sigma}(z)}, 1\big)$, otherwise z = ⊥

V(pk, a, c, z)
  if w = Az − Tc and ‖z‖ ≤ ησ√m then return 1 else return 0

1) We can also choose D_y to be a uniform distribution such as [−B, B], with D_z a uniform distribution accordingly. In this case, the criterion of rejection sampling is deciding whether the response z falls into the range [−(B − ‖Sc‖_∞), B − ‖Sc‖_∞].

Next, we prove the properties of the ID scheme in turn.

Min-entropy We show that the min-entropy of the commitment w is at least n using the property of the Gaussian distribution. Rewrite the matrix A in Hermite normal form A = [A' | I]; then for any t ∈ Z_q^n,

$\Pr[Ay = t;\ y \leftarrow D_y^m] = \Pr[y_1 = t - A'y_0;\ y \leftarrow D_y^m] \le \max_{t'} \Pr[y_1 = t';\ y_1 \leftarrow D_y^n] \le 2^{-n}.$


Non-abort honest verifier zero-knowledge We construct the simulator Sim as follows. To generate a simulated transcript, z is sampled from a public distribution D_z and output with probability 1/M. By the rejection sampling Lemma 2, the statistical distance between the two transcript distributions is ε/M. Hence, ID is ε/M-naHVZK.

Algorithm Sim(pk = (A, T))
  z ← D_z^m
  c ← ChSet
  w = Az − Tc
  return (a = w, c, z) with probability 1/M


Leakage resilient soundness. We claim that if the SIS_{q,n,m,β} problem is hard for β = (2ησ + 2dκ)√m = Õ(dn), the above ID scheme is (1/2 − ε)|sk|-leakage resilient and sound for any ε > 0. To prove this, we construct an adversary B that solves the SIS_{q,n,m,β} problem with the help of an adversary A that breaks the leakage resilient soundness of ID. Given A ∈ Z_q^{n×m}, B picks the secret key S ← D_s and returns the public key pk = (A, T) to A. Upon receiving leakage queries, B returns f(S), since it knows the secret key S. Finally, A outputs a valid transcript (c, z) for a given commitment w such that w = Az − Tc and ||z||_∞ ≤ ησ√m. By the general forking lemma, B rewinds A to obtain a new transcript (c', z') on the same commitment w where c' ≠ c, except with negligible probability. Thus, we have Az − Tc = Az' − Tc'. This yields A(z − z' + Sc − Sc') = 0.

Now we need to prove that z − z' + Sc − Sc' ≠ 0, meaning that we need to show that the secret key still has high min-entropy, so that it is not uniquely determined by the public key and the leakage. A can only obtain additional information about the secret key from the public key and the leakage queries, and the total number of bits leaked is at most 2·(1/2 − ε)|sk| = (1 − 2ε)|sk|. Thus the probability that H_∞(S | F's view) = 0 (the secret key S is uniquely determined by the view of A) is at most 2^{−2ε|sk|}, which is negligible. Therefore there exists at least one S' such that S' ≠ S and AS = AS', and with probability at least 1/2 we have a non-zero solution z − z' + Sc − Sc' to the SIS_{q,n,m,β} problem with ||z − z' + Sc − Sc'|| ≤ (2ησ + 2dκ)√m.

3.4 Leakage resilient and lossy ID scheme based on LWE

In this section, we construct an ID scheme based on the LWE problem. In our construction, the secret distribution D_s and the error distribution D_e are Gaussian distributions χ_α with standard deviation σ_s = σ_e = α, but the construction also works when D_s is a uniform distribution. The distributions D_y and D_z remain unchanged from Section 3.3, where D_y is a Gaussian distribution with standard deviation σ and D_z is the distribution D_y shifted by an offset vector.

The properties of min-entropy and naHVZK are almost the same as those of the non-lossy ID. The lossy key generation algorithm LIGen is given below.

Algorithm: ID scheme based on LWE

IGen(1^λ):
  A ← Z_q^{n×m}
  S ← D_s^{m×k}
  E ← D_e^{n×k}
  T = AS + E
  return (pk = (A, T), sk = (S, E))

P1(sk):
  y_1 ← D_y^m
  y_2 ← D_y^n
  y = [y_1 || y_2]
  w = Ay_1 + y_2
  return a = w, st = (w, y)

P2(sk, a, c, st):
  z = [z_1 || z_2] = y + [S || E]c
  return z with probability min( D_y^{m+n}(z) / (M·D_{y,[S||E]c}^{m+n}(z)), 1 ), otherwise z = ⊥

V(pk, a, c, z):
  if w = Az_1 + z_2 − Tc and ||z||_∞ ≤ ησ√(m+n) then
    return 1
  else
    return 0
  end if

LIGen(1^λ):
  A ← Z_q^{n×m}
  T ← Z_q^{n×k}
  return pk_ls = (A, T)

Leakage resilient key indistinguishability. Since the normal public key is an LWE instance and the lossy public key is chosen at random, key indistinguishability is essentially the decisional LWE problem. Hence, we need to prove that LWE remains hard with secret key leakage, which is exactly the entropic LWE problem proposed by [20].

[20] showed that the hardness of entropic LWE, whose secret is sampled from an arbitrary distribution with sufficient min-entropy, can be reduced to standard LWE. However, this result requires that the modulus-to-noise ratio be super-polynomial. Later, [36] improved the parameters of [20] and proved the hardness of entropic LWE when the modulus and the modulus-to-noise ratio are polynomial. The above proofs rely on the fact that the secret is short; recent work [21] removed this requirement and resolved the hardness of entropic LWE with arbitrarily long secrets.


Lemma 3 (Entropic LWE) Assume that the LWE_{q,n,m,χ_α} problem is hard. Then the entropic LWE_{q,n,m,χ_α} problem, whose secret is sampled from any distribution with min-entropy at least l, is also hard, where l < …(1 − ω(log m))… and α = poly(·).


The obstacle lies in the leakage of the error term E, which is also part of the secret key. In an LWE-based FS-Sig scheme, the adversary can obtain information about both S and E, so the entropic LWE problem cannot be applied directly. We solve this problem by proving the hardness of the LWE problem with simultaneous leakage. The proof idea is to reduce the leakage of E to the leakage of S with the help of A and T. Let (l_1, l_2)-LWE_{q,n,m,χ_α} denote the problem in which at most l_1 bits of the secret S and l_2 bits of the error E are leaked. Obviously, l_2 = 0 is exactly the case covered by the standard entropic LWE problem.

Lemma 4 Assume that the (l, 0)-LWE_{q,n,m,χ_α} problem is hard. Then the (l_1, l_2)-LWE_{q,n,m,χ_α} problem is hard for l > l_1 + l_2.


Proof. Assume that there exists a PPT adversary A that breaks the LWE problem with simultaneous leakage. We construct another adversary B that breaks the standard entropic LWE problem with the help of A. We construct B as follows:

• B forwards (A, T), obtained from the entropic LWE problem, to A.
• Upon receiving a leakage query f_i(S, E) from A:
  1. B defines a new function f'_i(S) = f_i(S, T − AS) using the public A and T.
  2. B submits the leakage query f'_i(S) to the entropic LWE problem and returns the output to A.
• B forwards the output of A to the entropic LWE problem.

It can be seen that B has properly simulated the LWE problem with simultaneous leakage for A. Hence, (l_1, l_2)-LWE_{q,n,m,χ_α} is hard if (l, 0)-LWE_{q,n,m,χ_α} is hard for l > l_1 + l_2.
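The simulation step of this reduction, as an added Python illustration that is not code from the paper: B answers the adversary's leakage query f_i(S, E) with f'_i(S) = f_i(S, T − AS), recomputing E from the public (A, T) and S, so no extra leakage on E is ever needed. The modulus, dimensions, small-entry distributions and the sample leakage function are constructed toy values, not secure parameters.

```python
# Added example, not from the paper: the simulation step in the proof of Lemma 4.
# Toy (insecure) parameters, constructed for illustration only.
import random

Q, N, M, K = 97, 3, 5, 2      # modulus q, A is N x M, S is M x K, E and T are N x K
rng = random.Random(7)         # fixed seed so the run is reproducible

def matmul(X, Y):
    """Matrix product X * Y over Z_q (X is a x b, Y is b x c)."""
    return [[sum(X[i][t] * Y[t][j] for t in range(len(Y))) % Q
             for j in range(len(Y[0]))] for i in range(len(X))]

def small(rows, cols):
    """Small-entry matrix standing in for the Gaussian chi_alpha of the paper."""
    return [[rng.randint(-2, 2) for _ in range(cols)] for _ in range(rows)]

def lwe_keygen():
    """Normal key of the LWE-based ID: pk = (A, T = AS + E), sk = (S, E)."""
    A = [[rng.randrange(Q) for _ in range(M)] for _ in range(N)]
    S, E = small(M, K), small(N, K)
    AS = matmul(A, S)
    T = [[(AS[i][j] + E[i][j]) % Q for j in range(K)] for i in range(N)]
    return (A, T), (S, E)

def recover_error(pk, S):
    """E = T - AS mod q, mapped back to the centred range (-q/2, q/2]."""
    A, T = pk
    AS = matmul(A, S)
    centre = lambda x: x - Q if x > Q // 2 else x
    return [[centre((T[i][j] - AS[i][j]) % Q) for j in range(K)] for i in range(N)]

def adversary_leakage(S, E):
    """A sample leakage query f_i(S, E) on the whole secret key (constructed):
    the parity of the sum of S's entries plus the sign bits of E's first column."""
    parity = sum(map(sum, S)) % 2
    signs = tuple(int(E[i][0] > 0) for i in range(N))
    return (parity,) + signs          # 1 + N leaked bits: l1 = 1 on S, l2 = N on E

def reduction_leakage(pk, f):
    """B's answer: f'_i(S) = f_i(S, T - AS) depends on S only, so it can be
    submitted to the entropic LWE leakage oracle with the same bit budget."""
    return lambda S: f(S, recover_error(pk, S))
```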

Leakage resilient lossiness. The proof idea follows that in [19,23,24]. In the lossy mode, for a fixed commitment there is only one valid challenge-response pair except with negligible probability; thus the probability that the adversary returns a valid transcript given the lossy pk is at most 1/|ChSet|.


Lemma 5 Let A ← Z_q^{n×m}, T ← Z_q^{n×k}. Then
Pr[∃(z_1, z_2, c) ∈ D_z^m × D_z^n × ChSet s.t. Az_1 + z_2 = Tc mod q] ≤ ( (2ησ+1)^n / q^{nk} + (2ησ+1)^{m+n} / q^n ) · |ChSet|.

Proof. There are two cases according to whether z_1 is zero.

Case 1: z_1 = 0.
Pr[∃(z_2, c) ∈ D_z^n × ChSet s.t. z_2 = Tc mod q]
  ≤ Σ_{z_2 ∈ D_z^n, c ∈ ChSet} Pr_{T ← Z_q^{n×k}}[T = z_2 · c^{−1}]
  ≤ Σ_{z_2 ∈ D_z^n, c ∈ ChSet} 1/q^{nk}
  = (2ησ+1)^n / q^{nk} · |ChSet|,   (1)
where the last inequality follows from the tail property of the Gaussian distribution, and c is invertible in R_q ([37]) if q ≡ 5 mod 8 and 0 < ||c||_∞ < √(q/2).

Case 2: z_1 ≠ 0, and we assume the first element of z_1 is non-zero. Write A = [a | A'] and z_1 = (z_{1,1}, z_1'), so that a is the first column of A. Then
Pr[∃(z_1, z_2, c) ∈ D_z^m × D_z^n × ChSet s.t. Az_1 + z_2 = Tc mod q]
  ≤ Σ_{z_1 ∈ D_z^m \ {0}, z_2 ∈ D_z^n, c ∈ ChSet} Pr_{a ← Z_q^n}[a z_{1,1} = −A'z_1' − z_2 + Tc mod q]
  ≤ Σ_{z_1 ∈ D_z^m \ {0}, z_2 ∈ D_z^n, c ∈ ChSet} 1/q^n
  = (2ησ+1)^{m+n} / q^n · |ChSet|.   (2)

Combining Eqs. (1) and (2), we get the statement claimed in Lemma 5.

We are ready to prove the lossiness property. Let A be the adversary against the impersonation experiment. The challenger first returns the lossy public key to A. Upon receiving a leakage query from A, the challenger forwards it to the LWE problem with simultaneous leakage. Since the lossy pk T is sampled uniformly and is independent of the secret key (S, E), the leakage of the secret key is useless to A. Finally, A outputs a valid transcript (c, z) for a given commitment w such that w = Az_1 + z_2 − Tc. Now we need to bound this probability.

Suppose that for a fixed commitment w = Ay_1 + y_2 there exist two valid challenge-response pairs (c, z) and (c', z'). Then we have w = Az_1 + z_2 − Tc = Az_1' + z_2' − Tc', which can be rewritten as A(z_1 − z_1') + (z_2 − z_2') = T(c − c'). By Lemma 5, the above equation can be solved only with negligible probability. Hence, there exists at most one valid challenge-response pair for a fixed commitment, meaning that the success probability of A is at most 1/|ChSet|, which is also negligible.


4 Fully leakage resilient Fiat-Shamir signatures

Previous works [15,17] showed that Fiat-Shamir type signature schemes are fully leakage resilient in the bounded and continuous leakage models, respectively. However, we notice that there are some flaws in their proofs. In the full leakage model, key leakage comes from the public key, the signing queries and the leakage queries. In FS-Sig schemes, the randomness y is used to mask the secret key to generate a signature z = y + Sc. If y is random, the signing queries do not reveal any additional information about the secret key; but if y is leaked, the adversary may recover the secret key if he can obtain enough signatures. The decrease in the min-entropy of the secret key caused by signatures is not considered in [15,17], which invalidates their result that FS-Sig schemes are fully leakage resilient. Since the leakage caused by signatures seems unavoidable, in this section we show how to bound it.

First, we prove the full leakage resilience of FS-Sig schemes in a different way. For this, we define a property called state reconstruction.


Definition 8 (State reconstruction property) A signature scheme has the state reconstruction property if there exists a simulator S such that for any PPT adversary A,
(r, σ) ≈_c (r', σ'),
where r ← {0,1}^{…}, σ ← Sign(sk, μ; r); σ' ← {0,1}^{…}, r' ← S(σ', pk, sk, μ).

The only difference between the fully leakage resilient experiment and the leakage resilient one is that in the former all of the state, including the secret key and the randomness, can be leaked, while in the latter only the secret key is allowed to leak. Using the state reconstruction property, we can prove that leakage resilient signature schemes are fully leakage resilient by reducing leakage of the state to leakage of the secret key.


Theorem 3 Leakage resilient signatures with the state reconstruction property are fully leakage resilient.


Proof. Assume that there exists a PPT adversary A that breaks the full leakage resilience of a signature scheme. We construct an adversary B that uses A as a subroutine and breaks the leakage resilience of the signature scheme. We construct B as follows:

• B obtains pk from the challenger of the leakage resilient signature scheme and sends it to A.
• Upon receiving a signing query on message μ_i from A, B runs the challenger to generate σ_i.
• Upon receiving a leakage query f_i(sk, r_i), B does as follows:
  1. Run the state reconstruction simulator S and define a new leakage function f'_i(sk) = f_i(sk, S(σ_i, pk, sk, μ_i)).
  2. Submit the leakage query f'_i(sk) to the challenger and return the output to A.
• B forwards the forgery pair (μ, σ) from A to the challenger.

It can be seen that, by simulating leakage of the state with the leakage oracle of the leakage resilient signature scheme, B has properly simulated the fully leakage resilient experiment for A. Hence, leakage resilient signatures with the state reconstruction property are fully leakage resilient.

Now we turn our attention to lattice-based signatures. We claim that leakage resilient FS-Sig schemes over lattices of the form z = y + Sc have the state reconstruction property. Obviously, given a random signature (c, z), the randomness y can be written as y = z − c × sk. That is, on inputs σ, sk, μ the randomness can be computed easily, and the simulation can be done by the leakage oracle in leakage resilient FS-Sig schemes. Hence, we obtain the following conclusion.

Corollary 1 Lattice-based leakage resilient FS-Sig schemes of the form z = y + Sc are fully leakage resilient.


Finally, for completeness, we present a signature scheme transformed from the SIS-based ID scheme proposed in Section 3.3. To sign a message, we need a random oracle H to hash the message to a uniform binary string of length k and weight κ, denoted by H: {0,1}* → B_κ^k = {v : v ∈ {−1,0,1}^k, ||v||_1 ≤ κ}. According to Theorem 3.1 together with Corollary 1, we conclude that the signature scheme is leakage resilient, and thus fully leakage resilient, in the BML model.

Algorithm: Fiat-Shamir signature from the SIS-based ID scheme

KeyGen(1^λ):
  A ← Z_q^{n×m}
  S ← D_s^{m×k}
  T = AS
  return (pk = (A, T), sk = S)

Sign(sk, μ):
  while z = ⊥ do
    y ← D_y^m
    w = Ay
    c = H(w || μ)
    z = y + Sc
    return σ = (c, z) with probability min( D_y^m(z) / (M·D_{y,Sc}^m(z)), 1 ), otherwise z = ⊥
  end while

Verify(pk, μ, σ = (c, z)):
  if c = H(Az − Tc || μ) and ||z||_∞ ≤ ησ√m then
    return 1
  else
    return 0
  end if
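The signature scheme above together with the state reconstruction argument of Corollary 1, as an added Python example that is not code from the paper: it instantiates KeyGen/Sign/Verify with the uniform choice of D_y from footnote 1 (accepting z when ||z||_∞ ≤ B − dκ, the worst-case value of B − ||Sc||_∞, so that the accepted range does not depend on the key) and the simulator that recovers y = z − Sc from (σ, sk). The hash H, the modulus and all dimensions are constructed toy values, not secure parameters.

```python
# Added example, not from the paper: the Section 4 signature (KeyGen/Sign/Verify)
# with the uniform D_y variant of footnote 1 and the state reconstruction y = z - Sc
# of Corollary 1. Toy (insecure) parameters, constructed for illustration only.
import hashlib
import random

Q, N, M, K = 257, 4, 8, 24   # modulus q, A is N x M, S is M x K, challenges have length K
D, KAPPA, B = 1, 3, 32        # sk entries in [-D, D], challenge weight, y entries in [-B, B]
BOUND = B - D * KAPPA          # ||Sc||_inf <= D*KAPPA, so z is accepted iff ||z||_inf <= B - D*KAPPA
rng = random.Random(2024)      # fixed seed so the run is reproducible

def matvec(X, v):
    """X * v over Z_q; v may have negative entries."""
    return [sum(a * b for a, b in zip(row, v)) % Q for row in X]

def H(w, mu):
    """Random oracle {0,1}* -> B_kappa^K: KAPPA positions set to +-1, the rest 0."""
    seed = hashlib.sha256(repr(w).encode() + b"|" + mu).digest()
    h = random.Random(int.from_bytes(seed, "big"))
    c = [0] * K
    for pos in h.sample(range(K), KAPPA):
        c[pos] = h.choice((-1, 1))
    return c

def Sc_product(S, c):
    """S * c over the integers (no reduction: entries are bounded by D*KAPPA)."""
    return [sum(row[j] * c[j] for j in range(K)) for row in S]

def keygen():
    A = [[rng.randrange(Q) for _ in range(M)] for _ in range(N)]
    S = [[rng.randint(-D, D) for _ in range(K)] for _ in range(M)]
    T = [[sum(A[i][t] * S[t][j] for t in range(M)) % Q for j in range(K)] for i in range(N)]
    return (A, T), S

def sign_with_state(sk, pk, mu):
    """Fiat-Shamir with aborts; also returns the randomness y actually used."""
    A, _ = pk
    while True:
        y = [rng.randint(-B, B) for _ in range(M)]
        c = H(matvec(A, y), mu)                     # c = H(w || mu), w = Ay
        z = [yi + si for yi, si in zip(y, Sc_product(sk, c))]
        if max(map(abs, z)) <= BOUND:               # rejection sampling; else z = bottom, retry
            return (c, z), y

def verify(pk, mu, sig):
    A, T = pk
    c, z = sig
    if max(map(abs, z)) > BOUND:
        return False
    w = [(a - t) % Q for a, t in zip(matvec(A, z), matvec(T, c))]   # Az - Tc = Ay
    return H(w, mu) == c

def reconstruct_state(sig, sk):
    """The Corollary 1 simulator: recover y = z - Sc from a signature and sk,
    so leakage on (sk, y) can be answered by a leakage query on sk alone."""
    c, z = sig
    return [zi - si for zi, si in zip(z, Sc_product(sk, c))]
```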


5 Application to existing lattice-based Fiat-Shamir signatures

In this section, we apply our framework to existing FS-Sig schemes over lattices to explore their leakage resilience; the results are displayed in Tables 1 and 2. Since the first signature scheme [6] with the Fiat-Shamir with aborts structure, several optimization techniques have been proposed to reduce the key and signature sizes, including signature compression, public key compression, bimodal Gaussians and the choice of structured lattices. Next, we briefly analyze the leakage resilience of signatures using these optimization techniques.

In terms of FS-Sig schemes based on the SIS problem or its variants, there are two schemes. [6] is exactly the signature scheme obtained from the SIS-based LRSound ID in Section 3.1 using the Fiat-Shamir transformation; hence [6] is FLR secure in the BML model. The other scheme, BLISS [7], is based on NTRU-SIS. One difference from [6] is the NTRU lattice, which does not affect the security analysis against leakage. Besides, BLISS utilizes the bimodal Gaussian distribution in the rejection sampling, so that the signature has the form z = y + (−1)^b Sc. Since b is hidden, the state reconstruction property fails for BLISS. Thus, we can only prove that BLISS is LR secure.

In terms of LWE (or its variants) based Fiat-Shamir signatures^{2)}, current optimization techniques do affect the leakage resilience security. (1) Signature compression technique. In LWE-based FS-Sig schemes, the secret key consists of two parts, the secret and the error of (R/M)LWE, corresponding to two responses z_1 and z_2. [8] proposed the signature compression technique, which completely removes z_2 to reduce the signature size. Correspondingly, only one randomness y_1 is left in the signing algorithm. Hence, the compressed signature can also be used to prove the state reconstruction property. (2) Mathematical structure. As mentioned in Section 3.4, the LRKI property of the lossy ID is reduced to the hardness of entropic LWE. So this property of Dilithium [3] and qTESLA [9] over structured lattices is reduced to the hardness of entropic structured LWE (e.g., RLWE and MLWE), which is proved in [38]. Unfortunately, the proof in [38] utilizes properties of the Gaussian distribution of the error, whereas Dilithium and qTESLA are based on non-standard structured LWE with uniform error, so the LRKI property fails. (3) Public key compression technique. To reduce the public key size, [3] compresses the public key by throwing away low-order bits. The complete public key is used to reduce the LWE problem whose secret key and error leak simultaneously to a standard entropic LWE problem. Hence schemes with a compressed public key are not LR secure, let alone FLR. In summary, the ancestor [8] of Dilithium and qTESLA is FLR secure, but the leakage resilience of Dilithium [3] and qTESLA [9] needs to be further explored; among them, qTESLA is FLR secure if the hardness of entropic structured LWE with uniform error holds.

2) The underlying ID schemes of existing LWE-based FS-Sig schemes [3, 8, 9] are not lossy due to their parameter sets, but we can select appropriate parameters to make them lossy in a similar way to that in [24].

Table 3 Comparisons between the proposed schemes and the existing ones

Scheme | Public key size | Secret key size | Signature size | Assumption
Lyu12-Sig [6] | n·(m+k)·log q | m·k·log(2d+1) | m·log(12σ) + k | SIS_{q,n,m,β}
Our SIS-based scheme | n·(m+k)·log q | m·k·log(2d+1) | m·log(12σ) + k | SIS_{q,n,m,β}
BG14-Sig [8] | n·(m+k)·log q | (m+n)·k·log(12α) | (m+n)·log(12σ) + k | LWE_{q,n,m,χ_α}
Our LWE-based scheme (see Note) | n'·(m'+k')·log q' | (m'+n')·k'·log(12α) | (m'+n')·log(12σ) + k' | LWE_{q',n',m',χ_α}

Note: Roughly estimated, it holds that n' = 2n, m' = 2m, k' = 2k, q' = …, and l < …(1 − ω(log m'))…, where l is the leakage bound.

Finally, we compare the proposed schemes with the existing schemes in terms of public key size, secret key size, signature size and assumption. Since the proposed signature schemes are basic, the comparison is performed between the proposed schemes and the basic schemes of [6] and [8], and none of the optimization techniques is considered here. The results are given in Table 3.

As shown in Table 3, the key and signature sizes and the assumption of the two SIS-based schemes are identical, and no additional overhead is introduced to achieve (full) leakage resilience. However, among the LWE-based schemes, the parameters of our proposed LWE-based scheme are generally O(1) times larger at the same security level, so the sizes in the concrete scheme are larger. In general, although the new parameters are enlarged, they have the same order of magnitude as the original ones.

Note that existing optimization techniques that are compatible with leakage resilience, such as signature compression, can be applied to the proposed schemes to obtain more efficient schemes. Generally speaking, a certain degree of efficiency is always sacrificed to achieve higher security, which is reasonable.


6 Conclusion

In this paper, we propose a framework to construct fully leakage resilient FS-Sig schemes in the BML model. Concretely, we first construct leakage resilient FS-Sig schemes from LRSound and LRLossy ID schemes, and then turn them into fully leakage resilient ones by showing that they satisfy the state reconstruction property. Then, we utilize lattice assumptions to instantiate leakage resilient ID schemes. Finally, we analyze the security of existing lattice-based FS-Sig schemes in the presence of leakage by applying our framework.